Thinking of switching to Defender for Endpoint?

Moving away from your existing Anti-Virus provider is probably not what you think

On what feels like a weekly basis, I speak to potential clients regarding their endpoint security posture. In almost all cases my first question is “do you currently have Defender for Endpoint?”

Now, opening with what can sound like a direct anti-virus product query (which it is) can feel confusing if you are unfamiliar with the product's capabilities. That is what has led me to write this article, as in most cases the confusion stems from a misconception of what Defender for Endpoint provides.

When looking to procure a solution, in most cases you will already have an existing product you are unhappy with or you are looking to reduce revenue costs whilst getting a better product.


Generally, a list of requirements is formed with your procurement team and you head out into the world to find the product that best meets your needs.



Comparing Products

Your list of requirements probably includes ransomware protection, anti-malware capabilities and the other common feature sets found in most major antivirus products (e.g. Trend, Sophos, Defender for Endpoint), along with requirements regarding reporting, support and the availability of updates.

There will be hundreds of reviews online for the various products, with conflicting views on which product is better. You will more than likely sit through product demos from vendors and resellers, all explaining the nuances of how their product is the best in a given area.


This leads me to where I think the misconception begins. In an out-and-out feature comparison there are only minor differences between the products, which is why Defender may not immediately stand out.

To better explain my position, I’m going to discuss the Defender for Endpoint features which are not historically regarded as antivirus features.

Defender for Endpoint is not just an Antivirus Product

Defender is a security portal providing a wide overview of your endpoint estate.

Many anti-virus products will tell you if your endpoint estate is clean

Defender for Endpoint will tell you if your endpoint estate is secure

These statements are generalisations: traditional antivirus products offer reporting, quarantine, remote response and so on, and Defender offers the same capabilities, but with an additional layer of oversight and recommended guidance to further harden the endpoint estate.

The Defender for Endpoint security portal has several key features which Microsoft have been working towards for many years using the native sensors and telemetry data from the Windows 10 and Windows 11 operating systems.

Defender holds existing solutions to account by telling you not what has been deployed, but what is missing.

  • Do you want to know which Windows/Office security patches are missing from devices?
  • Do you want to know which software applications have vulnerabilities or are end of life?
  • Do you want recommendations on security related group policy changes?

The answer to every question can be given through the Defender for Endpoint security portal.

Discovery with Defender

In every instance of Defender being deployed, we have worked collaboratively to help drive significant improvements to the security of the endpoint estate. With many organizations working towards certifications such as Cyber Security Essentials, there is an increasing need to confirm the utility and warranty of a solution.

I have seen situations where clients believe they have patched all devices, because their existing solution reports that the latest patch has been issued. Defender, however, takes a more granular, device-specific approach, looking at each device and flagging the specific missing KBs for every installed product, rather than just the latest patch.

The vulnerability recommendations will flag the update status of all software, highlighting the effectiveness of any automatically delivered patches.


In one example, we transformed an organization's secure score (a Microsoft score of your overall posture) within Defender for Endpoint by delivering patches within 14 days using Intune update rings, and by confirming the delivery of those patches using the vulnerability recommendations described above.

Defender also has close integration with the 365 suite, including automated investigation of emails with a native threat tracker. Defender can be partially enabled, without taking over antivirus duties, in a transitional approach that delivers immediate benefit.

Charting a More Secure Path with Secure Score

The culmination of the areas I've touched upon is brought together within the secure score sub-menu. Microsoft Secure Score is a measurement of an organization's security posture, presenting a list of improvements in order of greatest benefit.


One such example is a recommendation to “Set ‘Minimum password length’ to ‘14 or more characters’”.

The Defender for Endpoint portal describes the recommendation, highlights the potential risks of shorter passwords, cites benchmarks such as CIS and STIG, shows the number of affected devices and provides specific remediation options, listing the exact policy which requires changing.
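To verify a finding like this on an individual device, rather than relying on the portal alone, the effective local policy can be read and compared against the 14-character value the recommendation cites. This is an added example written for this article, not Microsoft's code or anything the portal runs; it assumes an elevated PowerShell session on Windows where secedit.exe is available.

```powershell
# Added example: read the device's effective 'Minimum password length' and
# compare it with the 14-character value cited by the Secure Score recommendation.
# Assumption: run elevated on Windows; secedit.exe exports the local security policy.

function Get-MinimumPasswordLength {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes the local security policy as an INI-style file whose
    # [System Access] section carries the MinimumPasswordLength setting.
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    try {
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*MinimumPasswordLength\s*=' } |
            Select-Object -First 1
        if (-not $line) { throw 'MinimumPasswordLength not present in exported policy' }
        # A value of 0 means no minimum is enforced at all.
        if ($line -match '=\s*(\d+)\s*$') { return [int]$Matches[1] }
        throw "Unexpected policy line: $line"
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-MinimumPasswordLength {
    param(
        # 14 is the value the recommendation (and the CIS/STIG benchmarks it cites) uses.
        [int]$Required = 14
    )
    $current = Get-MinimumPasswordLength
    [pscustomobject]@{
        Device    = $env:COMPUTERNAME
        Current   = $current
        Required  = $Required
        Compliant = ($current -ge $Required)
    }
}

# Report for this device; Compliant is $false wherever the portal would still flag it.
Test-MinimumPasswordLength
```

A device that reports Compliant = $false here is one the recommendation would still count among its affected devices; the exported value reflects the effective local policy, including any domain Group Policy applied to it.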

All of the above saves significant time for the IT team, providing a level of assurance, reference and visibility.

Using the recommendations, a wider view of the organisation is possible: end of life software can be managed out, changes can be aligned to a release schedule to narrow the exposure window, auto updates can be enabled, and policy changes can be tested and deployed, with a tangible view of the improvements.

Summary

I have lightly touched on the capabilities within the Defender for Endpoint portal and hope I've gone some way towards explaining that Defender is not just a like-for-like antivirus replacement. Microsoft have invested significantly in developing the solution, from what was once poorly regarded to what is now a leading player in the endpoint security arena.

Replacing an antivirus product like for like is comparable to repairing a broken fence panel every few years. If you have existing Microsoft licensing (E5, A5, 365 Business Premium) your fence may have a perfectly good wall behind it you have already paid for, saving you an ongoing maintenance or replacement cost.


There are many great anti-virus products out there, more and more are bringing in management capabilities such as application control. Microsoft are uniquely positioned as the creator of the Windows OS and the Defender product, which are natively designed to work together, with compliance policies and features deliverable at point of config.

Dependent on your current contract period, you may have months or years left on your existing solution, however some of the benefits can be delivered now without Defender assuming duties as the active antivirus.

Defender for Endpoint is the beginning of a journey: Defender for Cloud, Defender for Identity and Defender for Cloud Apps are all capabilities enabling greater oversight and accountability across the IT estate. Teams, SharePoint and the Outlook client can also benefit from governance of the data plane (DLP, retention, audit) using Azure Purview, with a user experience comparable to Defender, for adherence to standards such as GDPR and ISO27001, with over 700 available assessments.

At Integy, we can help you on your journey regardless of your starting point: if you're new to the cloud, or if you are unsure about Defender, we can work collaboratively with you to deliver outcomes and improve your security posture. Some of the capabilities are available within the E3 and A3 licensing; if you have any queries or would like to discuss further, please get in touch at [email protected]

Written by Cameron Stephens



James Grills

IT Director & CISO

2 years

Great Article! We’ve recently moved to Defender for EndPoint, solid solution and absolutely love the added value it brings.
